Commit 50c7f17e authored by Daniel Stenberg's avatar Daniel Stenberg

SMB: rangecheck values read off incoming packet

CVE-2015-3237

Detected by Coverity. CID 1299430.

Bug: http://curl.haxx.se/docs/adv_20150617B.html
parent 3e7ec1e8
+9 −3
@@ -783,6 +783,12 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
    off = Curl_read16_le(((unsigned char *) msg) +
                         sizeof(struct smb_header) + 13);
    if(len > 0) {
      struct smb_conn *smbc = &conn->proto.smbc;
      if(off + sizeof(unsigned int) + len > smbc->got) {
        failf(conn->data, "Invalid input packet");
        result = CURLE_RECV_ERROR;
      }
      else
        result = Curl_client_write(conn, CLIENTWRITE_BODY,
                                   (char *)msg + off + sizeof(unsigned int),
                                   len);
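Review bot: The new bound `if(off + sizeof(unsigned int) + len > smbc->got)` has no comment saying why the sum cannot wrap or what `smbc->got` bounds, and that is the invariant a later edit is most likely to break. `off` comes from `Curl_read16_le` and the `sizeof` operand widens the addition to `size_t`, so it looks safe as written, but the read of `len` is outside the hunk and should be confirmed to be an unsigned 16-bit value as well. I would add above the check something like `/* off and len are server-controlled: the payload must end within the smbc->got bytes in the receive buffer */`, assuming `got` is the count of bytes received so far. The check only bounds the upper end, so an `off` that points back into the header still passes; that read stays inside the buffer, but a lower bound would reject such malformed packets too. The `if(len > 0) {` block opened here closes outside the hunk.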